UPDATED: A lot of people have been asking me about this in the last two days and I thought I’d summarise my observations here. Please leave a comment if you think I’ve got something wrong or I haven’t answered a particular question.

The Issue

It seems that Microsoft have had a bug in Internet Explorer 5.01 (released in November 1999) that exists right up to the latest beta of IE 8. Essentially, someone can write a web page that references a non-existent page element causing an error within IE that allows code to be run on the local machine as if it were the current user of the machine. Usually this would manifest itself by using IE to download a piece of code from a 3rd website and silently install it, compromising the PC. (Before anyone comments that I’ve over simplified the problem, I have no intention to get into invalid pointer dereferencing in DHTML arrays in this blog.)

This only affects Internet Explorer – not Firefox, Safari, Opera or Chrome (although I’m still a bit sceptical about the patching regime for Chrome at the moment and am hesitant to recommend it).

Impact

Because the vulnerability essentially means that an attacker can install anything they like on your machine, anything could have been happened. I don’t mean to panic people, but I honestly don’t have any idea how much information or how many machines have been compromised in this way since the vulnerability was discovered.

Let’s get the issue into perspective. We know that at least 10,000 websites have been compromised and, if visited with a vulnerable web browser, will infect your PC. However, given that there are approximately 110.1 million websites being operated, with a total of 550 billion web pages on the Internet, the proportion of the total affected is small.

It’s also fairly safe to say that most of the “big” sites like the BBC, Microsoft, Yahoo, Google, Blogspot and other sites that have big operations behind them will very quickly find compromises in their sites and fix them – they can’t afford the publicity. Those sites being compromised are the smaller sites, being hosted in a chicken shed at the end of the garden.

I’m definitely not saying this isn’t an issue – it is a huge problem. However, equally, I’m not saying we should all run for the hills.

What is happening and what can I do?

Microsoft have stated that they’ve brought forward a patch for this problem to 1pm EST. This will hopefully solve the problem. There are a few things that you can do, in addition to patching your machine by visiting the Microsoft Update Centre. IMPORTANT: if you’re using a PC supported by LSE, or any other organisation, and it’s on the corporate/work network, patching should be done automatically, as it is at LSE. There is a big difference between running a personal computer and having a reliable network with several thousand on at the same time on a corporate network. Please don’t change the configuration of a work PC. If in doubt, contact your support team (at LSE, these can be found here).

If using your own PC, consider the following:

  • Ensure your anti-virus product is up-to-date
  • Make sure you have a properly configured firewall on your PC
  • Consider using a different web browser
  • Patch regularly
  • Only visit web sites you trust
  • Change your passwords regularly
  • Don’t use the same password for every website

It’s also important to note that this whole sorry episode could well be repeated next week, with another vulnerability, or in a different browser. Please be sensible when surfing the web.

I’d welcome any feedback.

UPDATED (18.55, 17/12/2008): Microsoft have released an update page. See: http://support.microsoft.com/?kbid=960714

Advertisements